<html>
<head><meta charset="utf-8"><title>flatbuffer unsoundness · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/flatbuffer.20unsoundness.html">flatbuffer unsoundness</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="238117156"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/flatbuffer%20unsoundness/near/238117156" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tethys Svensson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/flatbuffer.20unsoundness.html#238117156">(May 10 2021 at 10:22)</a>:</h4>
<p>I've found (and filed) a bunch of new soundness issues in the flatbuffers crate, similar to the two existing RUSTSEC advisories. They are all more or less the same kind of bug: semi-internal helper functions for serializing/deserializing doing unsound pointer arithmetic/transmutes. However they are spread out over a bunch of different functions/traits in different parts of the library. Should I file a single report for all of them, or does it make more sense to make individual reports for each of them?</p>
<p>I am not sure if they are all be easily fixable, so some of them might be open for a while.</p>



<a name="238117286"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/flatbuffer%20unsoundness/near/238117286" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/flatbuffer.20unsoundness.html#238117286">(May 10 2021 at 10:23)</a>:</h4>
<p>Can you link the upstream issue reports for context?</p>



<a name="238117401"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/flatbuffer%20unsoundness/near/238117401" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tethys Svensson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/flatbuffer.20unsoundness.html#238117401">(May 10 2021 at 10:24)</a>:</h4>
<p><a href="https://github.com/google/flatbuffers/issues/6627">https://github.com/google/flatbuffers/issues/6627</a><br>
<a href="https://github.com/google/flatbuffers/issues/6628">https://github.com/google/flatbuffers/issues/6628</a><br>
<a href="https://github.com/google/flatbuffers/issues/6629">https://github.com/google/flatbuffers/issues/6629</a><br>
<a href="https://github.com/google/flatbuffers/issues/6630">https://github.com/google/flatbuffers/issues/6630</a><br>
<a href="https://github.com/google/flatbuffers/issues/6631">https://github.com/google/flatbuffers/issues/6631</a><br>
<a href="https://github.com/google/flatbuffers/issues/6632">https://github.com/google/flatbuffers/issues/6632</a></p>



<a name="238117681"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/flatbuffer%20unsoundness/near/238117681" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/flatbuffer.20unsoundness.html#238117681">(May 10 2021 at 10:26)</a>:</h4>
<p>I think it would be neater to consolidate them in one advisory. Otherwise it will just completely flood the output of <code>cargo audit</code></p>



<a name="238139505"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/flatbuffer%20unsoundness/near/238139505" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/flatbuffer.20unsoundness.html#238139505">(May 10 2021 at 13:14)</a>:</h4>
<p>And thanks a lot of reporting those issues!</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>